Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
2 vulnerabilities found for Langflow Desktop by IBM
CVE-2026-3357 (GCVE-0-2026-3357)
Vulnerability from nvd – Published: 2026-04-08 00:19 – Updated: 2026-04-08 15:41
VLAI?
Title
IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file
Summary
IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Langflow Desktop |
Affected:
1.6.0 , ≤ 1.8.2
(semver)
cpe:2.3:a:ibm:langflow_desktop:1.6.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:langflow_desktop:1.8.2:*:*:*:*:*:*:* |
Credits
This vulnerability was reported to IBM by Weblover.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T15:41:44.331099Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T15:41:55.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:langflow_desktop:1.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:langflow_desktop:1.8.2:*:*:*:*:*:*:*"
],
"product": "Langflow Desktop",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.8.2",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was reported to IBM by Weblover."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.\u003c/p\u003e"
}
],
"value": "IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T00:19:11.414Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7268428"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.8.3 or newer\u0026nbsp;\u003ca href=\"https://www.langflow.org/blog/langflow-1-8-desktop\" rel=\"nofollow\"\u003ehttps://www.langflow.org/blog/langflow-1-8-desktop\u003c/a\u003e\u003c/p\u003e\u003cp\u003eIf you are already using Langflow Desktop, upgrade in the application to version 1.8.3\u003c/p\u003e\u003cp\u003eTo install Langflow Desktop for the first time, visit \u003ca href=\"https://langflow.org/desktop\" rel=\"nofollow\"\u003eDownload Langflow Desktop\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.8.3 or newer\u00a0 https://www.langflow.org/blog/langflow-1-8-desktop \n\nIf you are already using Langflow Desktop, upgrade in the application to version 1.8.3\n\nTo install Langflow Desktop for the first time, visit Download Langflow Desktop https://langflow.org/desktop ."
}
],
"title": "IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-3357",
"datePublished": "2026-04-08T00:19:11.414Z",
"dateReserved": "2026-02-27T18:17:58.431Z",
"dateUpdated": "2026-04-08T15:41:55.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3357 (GCVE-0-2026-3357)
Vulnerability from cvelistv5 – Published: 2026-04-08 00:19 – Updated: 2026-04-08 15:41
VLAI?
Title
IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file
Summary
IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Langflow Desktop |
Affected:
1.6.0 , ≤ 1.8.2
(semver)
cpe:2.3:a:ibm:langflow_desktop:1.6.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:langflow_desktop:1.8.2:*:*:*:*:*:*:* |
Credits
This vulnerability was reported to IBM by Weblover.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T15:41:44.331099Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T15:41:55.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:langflow_desktop:1.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:langflow_desktop:1.8.2:*:*:*:*:*:*:*"
],
"product": "Langflow Desktop",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.8.2",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was reported to IBM by Weblover."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.\u003c/p\u003e"
}
],
"value": "IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T00:19:11.414Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7268428"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.8.3 or newer\u0026nbsp;\u003ca href=\"https://www.langflow.org/blog/langflow-1-8-desktop\" rel=\"nofollow\"\u003ehttps://www.langflow.org/blog/langflow-1-8-desktop\u003c/a\u003e\u003c/p\u003e\u003cp\u003eIf you are already using Langflow Desktop, upgrade in the application to version 1.8.3\u003c/p\u003e\u003cp\u003eTo install Langflow Desktop for the first time, visit \u003ca href=\"https://langflow.org/desktop\" rel=\"nofollow\"\u003eDownload Langflow Desktop\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.8.3 or newer\u00a0 https://www.langflow.org/blog/langflow-1-8-desktop \n\nIf you are already using Langflow Desktop, upgrade in the application to version 1.8.3\n\nTo install Langflow Desktop for the first time, visit Download Langflow Desktop https://langflow.org/desktop ."
}
],
"title": "IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-3357",
"datePublished": "2026-04-08T00:19:11.414Z",
"dateReserved": "2026-02-27T18:17:58.431Z",
"dateUpdated": "2026-04-08T15:41:55.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}